Before you begin
This task assumes that you have enabled the OAuth 2.0 feature.
About this task
Before you can use the WebSphere® Application
Server as an OAuth service provider, you need to create one or more
OAuth providers. The OAuth service provider includes the authorization
server and the resource server.
Procedure
- Create an OAuth provider. To create an OAuth provider,
you must have an OAuth provider configuration file; the file must
exist before you create the provider. You can use the
OauthConfigSample.xml sample provider configuration file under the
app_server_root/properties directory as a template for the provider
configuration file for your OAuth scenarios.
Before creating the OAuth provider, ensure that the value of the
filter parameter in the provider configuration file matches the URL
of the protected resource. The OAuth trust association interceptor
(TAI) intercepts only requests that match this filter, so a filter
that does not match leaves the resource outside OAuth protection.
You can create the OAuth provider by using either the wsadmin
command-line utility or the administrative console.
- Create the OAuth provider by using the wsadmin utility.
- Start the WebSphere Application
Server.
- Start the wsadmin command-line utility
from the app_server_root/bin directory by entering
the command: wsadmin -lang jython.
- At the wsadmin prompt, enter the following command:
AdminTask.createOAuthProvider('[-providerName <OAuthProviderName> -fileName <ProviderConfigFile>]')
where OAuthProviderName is the OAuth provider name, and ProviderConfigFile is
the full path name of the OAuth provider configuration file. For example:
AdminTask.createOAuthProvider('[-providerName OAuthConfigSample -fileName c:/temp/OAuthConfigSample.xml]')
Note: The previous command copies the provider configuration file to the
<was_profile_root>/config/cells/<cell_name>/oauth20 directory.
- Save the configuration by entering the following command: AdminConfig.save().
- Exit the wsadmin command utility by
entering the following command: quit.
- Restart the WebSphere Application
Server.
- Create the OAuth provider by using the administrative console.
- Copy the provider configuration file to the <was_profile_root>/config/cells/<cell_name>/oauth20 directory.
- Log on to the WebSphere Application
Server administrative console.
- Click .
- Expand .
- Click .
- Click .
- Click .
- Under , add the following properties:
Name: provider_1.name
Value: <OauthProviderName>
Avoid trouble: The provider name must be the same as the provider
configuration file name, without the file extension. For example,
if the provider configuration file is OauthConfigSample.xml, you must
specify OauthConfigSample as the provider name.
Name: provider_1.filter
Value: <filter_condition>
The value of the filter property specifies the filter condition for the
protected resource; it selects the requests that the OAuth TAI
intercepts. For example:
request-url%=snoop, applicationNames==OAuthApplication
- Click .
- Restart the WebSphere Application
Server.
- Register OAuth clients. Before OAuth clients can access any resources
protected by the OAuth trust association interceptor (TAI), the clients
must be registered with the OAuth service provider. One way to register
clients is by using an XML file.
- Registering clients by using an XML file.
You can use an XML file for storing the registered clients. The
OauthConfigSample.xml template provider configuration file configures the
com.ibm.ws.security.oauth20.plugins.BaseClientProvider class, which stores
the registered clients in the base.clients.xml file. The base.clients.xml
file must exist in the same directory as the provider configuration file,
under <was_profile_root>/config/cells/<cell_name>/oauth20.
If you want to use the BaseClientProvider class to register clients by
using an XML file, you must add one or more OAuth clients to the
base.clients.xml file. You can use the base.clients.xml file under the
<app_server_root>/properties directory as a template for adding registered
clients. Treat this file as a credential store: registered client entries
carry the client secret, so restrict read access to it as you would to any
other file under the profile configuration directory.
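The checks that this procedure leaves to the administrator (the filter must cover the protected resource URL, the provider name must equal the configuration file name without its extension, and base.clients.xml must hold usable client entries when BaseClientProvider is configured) can be scripted as a preflight before you run createOAuthProvider. The following script is an added example written for this page; it is not IBM code and not part of WebSphere. It assumes that the provider configuration file uses a <parameter name="..."><value>...</value></parameter> layout like OauthConfigSample.xml, that the client provider class is named in a parameter called oauth20.client.provider.classname, that base.clients.xml lists <client> elements with id, secret and redirect attributes, and that in a filter condition %= is a contains-match and == an exact match. All of these, the two embedded XML documents (constructed for the example) and the https check on redirect URIs are assumptions of the example, not statements from the page.

```python
# Added preflight example (not IBM code); XML layouts and filter operator
# semantics are assumptions, flagged in comments below.
import os
import re
import xml.etree.ElementTree as ET

# Constructed provider configuration in the assumed <parameter>/<value> layout
# of OauthConfigSample.xml; the filter value is the one shown on the page.
PROVIDER_XML = """<OAuthServiceProvider>
  <parameter name="filter" type="tai" customizable="true">
    <value>request-url%=snoop, applicationNames==OAuthApplication</value>
  </parameter>
  <parameter name="oauth20.client.provider.classname" type="ws" customizable="true">
    <value>com.ibm.ws.security.oauth20.plugins.BaseClientProvider</value>
  </parameter>
</OAuthServiceProvider>"""

# Constructed client registry in the assumed layout of base.clients.xml;
# the second client is deliberately misconfigured.
CLIENTS_XML = """<OAuthClientConfiguration>
  <client id="goodclient" secret="s3cr3t" redirect="https://app.example.com/cb" enabled="true"/>
  <client id="badclient" secret="" redirect="http://app.example.com/cb" enabled="true"/>
</OAuthClientConfiguration>"""

BASE_CLIENT_PROVIDER = "com.ibm.ws.security.oauth20.plugins.BaseClientProvider"
CLIENT_PROVIDER_PARAM = "oauth20.client.provider.classname"  # assumed parameter name
_COND = re.compile(r"^(\S+?)\s*(%=|==)\s*(.+)$")  # key, operator, operand

def provider_name_from_file(path):
    """The console requires provider name == config file name without extension."""
    return os.path.splitext(os.path.basename(path))[0]

def read_parameters(xml_text):
    """Map each <parameter name=...> to the text of its first <value>."""
    params = {}
    for p in ET.fromstring(xml_text).iter("parameter"):
        v = p.find("value")
        params[p.get("name")] = (v.text or "").strip() if v is not None else ""
    return params

def check_filter(filter_value, protected_url):
    """Return problems; [] means a request-url condition covers protected_url.
    Assumed: '%=' is a contains-match and '==' an exact match; conditions are
    comma-separated; only request-url conditions are evaluated here."""
    if not filter_value.strip():
        return ["filter parameter is empty"]
    problems, covered = [], False
    for cond in [c.strip() for c in filter_value.split(",") if c.strip()]:
        m = _COND.match(cond)
        if not m:
            problems.append("unparseable filter condition: %r" % cond)
            continue
        key, op, operand = m.group(1), m.group(2), m.group(3).strip()
        if key == "request-url" and (op == "%=" and operand in protected_url
                                     or op == "==" and operand == protected_url):
            covered = True
    if not covered:
        problems.append("no request-url condition matches %s" % protected_url)
    return problems

def check_clients(xml_text):
    """Return {client_id: [problems]} for every <client> that fails a check.
    The https rule is this example's own hardening: a plain-http redirect URI
    exposes the authorization code in transit."""
    findings = {}
    for c in ET.fromstring(xml_text).iter("client"):
        cid, problems = c.get("id", ""), []
        if not cid:
            problems.append("client id is empty")
        if not c.get("secret"):
            problems.append("client secret is empty")
        if not c.get("redirect", "").startswith("https://"):
            problems.append("redirect URI is not https: %r" % c.get("redirect", ""))
        if problems:
            findings[cid or "<no id>"] = problems
    return findings

def preflight(provider_xml, clients_xml, protected_url):
    """Collect everything that would leave the provider or its clients unusable."""
    problems = {}
    params = read_parameters(provider_xml)
    bad_filter = check_filter(params.get("filter", ""), protected_url)
    if bad_filter:
        problems["filter"] = bad_filter
    if params.get(CLIENT_PROVIDER_PARAM) == BASE_CLIENT_PROVIDER:
        if clients_xml is None:
            problems["clients"] = ["BaseClientProvider configured but base.clients.xml is missing"]
        else:
            problems.update(check_clients(clients_xml))
    return problems

def wsadmin_commands(config_path):
    """The lines from the procedure above, ready to paste into wsadmin -lang jython."""
    name = provider_name_from_file(config_path)
    return ["AdminTask.createOAuthProvider('[-providerName %s -fileName %s]')" % (name, config_path),
            "AdminConfig.save()", "quit"]
```

Run preflight(PROVIDER_XML, CLIENTS_XML, "https://host:9443/snoop") against the real files by reading them in place of the constructed strings; it reports the empty secret and the http redirect on badclient and nothing for goodclient. Only when it returns an empty dict are the lines from wsadmin_commands(...) worth pasting into wsadmin, since createOAuthProvider copies the configuration file as-is and does not validate the filter for you.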
Results
Your WebSphere Application
Server is now configured as a service provider for OAuth 2.0.
What to do next
For additional configuration options for your service provider,
see the following topics:
- OAuth TAI custom properties
- OAuth command group for the AdminTask object